Less than one month after Cambridge Analytica Whistleblower Christopher Wiley exposed the abuse of (so far) 87 million Facebook users’ data, Facebook Co-Founder, Chairman, and CEO Mark Zuckerburg testified before the US Congress.

On 10 and 11 April, Zuckerberg provided testimony in a joint hearing of the Senate Judiciary and the Senate Committee on Commerce, Science, and Transportation, and then to the House Energy and Commerce Committee. He faced questions on a number of democracy-disrupting and privacy-violating issues to which the social media giant has been a party, not least the composition – and use – of personally identifiable data as part of the Facebook-Cambridge Analytica scandal.

This scrutiny gave rise to uncertainty over what Facebook user data Cambridge Analytica had access to, and of just what this personal data comprised. What began as the personality app “This is Your Digital Life”, designed by researcher Aleksander Kogan and installed by 270 000 Facebook users (which in turn provide access to the data of at least 87 million users), resulted in data consulting firm Cambridge Analytica having access to the private inbox messages of users.

This revelation, whilst a part of the unfolding exposé, was confirmed in the notifications that began appearing at the top of users News Feeds which read “a small number of people who logged in to ‘This is Your Digital Life’ also shared their own News Feed, timeline, posts, and messages which may have included posts and messages from you.”

With a global reach, the scandal has implications for users worldwide. In the European Union, such access to personal data would be prohibited by the proposed ePrivacy Regulation. Current ePrivacy rules on access to the content of communications do not cover Facebook, although this would change under the proposed ePrivacy Regulation.

So far, lobbyists from Facebook and its allies have lobbied Member States in the EU Council successfully to slow down the adoption of the new Regulation – and not even this scandal has been able to persuade EU Ministers (many of whom signed a letter arguing that our fundamental rights should be “balanced” with “digital products and services” of the need that Facebook’s access to private communications needs to be restricted.

On how such abuse could happen, a Facebook spokesperson said: “In 2014, Facebook’s platform policy allowed developers to request mailbox permissions but only if the person explicitly gave consent for this to happen. At the time when people provided access to their mailboxes – when Facebook messages were more of an inbox and less of a real-time messaging service – this enabled things like desktop apps that combined Facebook messages with messages from other services like SMS so that a person could access their messages all in one place. According to our records only a very small number of people explicitly opted into sharing this information. The feature was turned off in 2015.”

Conditions for consent – as per Article 7 of the General Data Protection Regulation (GDPR) – cannot have been met, however, and in particular, the explicit consent of 87 million users to access to and repurposing of their personal data has not been obtained.